SpagoBI 持续性跨站脚本攻击漏洞

SpagoBI 持续性跨站脚本攻击漏洞

发布日期：2014-03-01
更新日期：2014-03-10

受影响系统：
SpagoBI SpagoBI 4.0
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65911
CVE(CAN) ID: CVE-2013-6232

SpagoBI是开源的商业智能软件包。

SpagoBI 4.0及其他版本没有验证某些输入即返回给用户，在实现上存在持续性跨站脚本攻击，远程攻击者通过特制的请求，利用此漏洞可在用户浏览器内执行任意脚本代码。

<*来源：Christian Catalano
 
  链接：http://www.securityfocus.com/archive/1/531322/30/0/threaded
        http://www.exploit-db.com/exploits/32038/
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

In execution page can be visible a toolbar with various icons useful for
the user to perform actions related to the document runs.
The user can insert a note about the executed document.
The note is associated to the document with relative parameters value
and to the user.
It can be public or private, so public notes are visible to all users
while the private notes are visible only from the user creator.

An attacker (a SpagoBI malicious user with a restricted account ) can
insert a note with jasvascript code:

<object data="javascript:alert('XSS')"></object>

and save it in public mode.
The code execution happens when the victim (an unaware user) click on
annotate document detail.

This is not the only way to add malicious code in the SpagoBI web app.

建议：
--------------------------------------------------------------------------------
厂商补丁：

SpagoBI
-------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

www.spagoworld.org
http://forge.ow2.org/project/showfiles.php?group_id=204